author: Alejandro Colomar <alx@kernel.org>, 2023-02-05 23:14:38 +0100
committer: Alejandro Colomar <alx@kernel.org>, 2023-02-05 23:14:42 +0100
commit: cdede5cdd1b0ba75135d3b32d96354026e96f866 (patch)
tree: f21d7604d25b2de607ef5471e5e180094231e046 /man7/user_namespaces.7
parent: f29fc8dcf0da15a596a7cdc7e5a0b2932100b522 (diff)
download: man-pages-cdede5cdd1b0ba75135d3b32d96354026e96f866.tar.gz
Many pages: Use \[bu] instead of \(bu
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Diffstat (limited to 'man7/user_namespaces.7')
-rw-r--r-- man7/user_namespaces.7 | 58
1 files changed, 29 insertions, 29 deletions
diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 6011829d9a..6647b02bf7 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -157,7 +157,7 @@ its original user namespace. .PP The rules for determining whether or not a process has a capability in a particular user namespace are as follows: -.IP \(bu 3 +.IP \[bu] 3 A process has a capability inside a user namespace if it is a member of that namespace and it has the capability in its effective capability set. @@ -173,11 +173,11 @@ or .BR setns (2), as already described. .\" In the 3.8 sources, see security/commoncap.c::cap_capable(): -.IP \(bu +.IP \[bu] If a process has a capability in a user namespace, then it has that capability in all child (and further removed descendant) namespaces as well. -.IP \(bu +.IP \[bu] .\" * The owner of the user namespace in the parent of the .\" * user namespace has all caps. When a user namespace is created, the kernel records the effective @@ -234,29 +234,29 @@ and mount the following types of filesystems: .PP .RS 4 .PD 0 -.IP \(bu 3 +.IP \[bu] 3 .I /proc (since Linux 3.8) -.IP \(bu +.IP \[bu] .I /sys (since Linux 3.8) -.IP \(bu +.IP \[bu] .I devpts (since Linux 3.9) -.IP \(bu +.IP \[bu] .BR tmpfs (5) (since Linux 3.9) -.IP \(bu +.IP \[bu] .I ramfs (since Linux 3.9) -.IP \(bu +.IP \[bu] .I mqueue (since Linux 3.9) -.IP \(bu +.IP \[bu] .I bpf .\" commit b2197755b2633e164a439682fb05a9b5ea48f706 (since Linux 4.4) -.IP \(bu +.IP \[bu] .I overlayfs .\" commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f .\" commit 4cb2c00c43b3fe88b32f29df4f76da1b92c33224 
@@ -499,12 +499,12 @@ The lines written to .I uid_map .RI ( gid_map ) must conform to the following validity rules: -.IP \(bu 3 +.IP \[bu] 3 The three fields must be valid numbers, and the last field must be greater than 0. -.IP \(bu +.IP \[bu] Lines are terminated by newline characters. -.IP \(bu +.IP \[bu] There is a limit on the number of lines in the file. In Linux 4.14 and earlier, this limit was (arbitrarily) .\" 5*12-byte records could fit in a 64B cache line @@ -519,7 +519,7 @@ and the write must be performed at the start of the file (i.e., and .BR pwrite (2) can't be used to write to nonzero offsets in the file). -.IP \(bu +.IP \[bu] The range of user IDs (group IDs) specified in each line cannot overlap with the ranges in any other lines. @@ -532,7 +532,7 @@ which prevented some otherwise valid maps from being created. Linux 3.9 and later .\" commit 0bd14b4fd72afd5df41e9fd59f356740f22fceba fix this limitation, allowing any valid set of nonoverlapping maps. -.IP \(bu +.IP \[bu] At least one line must be written to the file. .PP Writes that violate the above rules fail with the error @@ -542,21 +542,21 @@ In order for a process to write to the .IR /proc/ pid /uid_map .RI ( /proc/ pid /gid_map ) file, all of the following permission requirements must be met: -.IP \(bu 3 +.IP \[bu] 3 The writing process must have the .B CAP_SETUID .RB ( CAP_SETGID ) capability in the user namespace of the process .IR pid . -.IP \(bu +.IP \[bu] The writing process must either be in the user namespace of the process .I pid or be in the parent user namespace of the process .IR pid . -.IP \(bu +.IP \[bu] The mapped user IDs (group IDs) must in turn have a mapping in the parent user namespace. -.IP \(bu +.IP \[bu] If updating .IR /proc/ pid /uid_map to create a mapping that maps UID 0 in the parent namespace, 
@@ -598,7 +598,7 @@ capability, it could create a binary with namespaced file capabilities that would then be effective in the parent user namespace (because the root user IDs are the same in the two namespaces). .RE -.IP \(bu +.IP \[bu] One of the following two cases applies: .RS .IP (a) 5 @@ -610,7 +610,7 @@ capability in the .I parent user namespace. .RS -.IP \(bu 3 +.IP \[bu] 3 No further restrictions apply: the process can make mappings to arbitrary user IDs (group IDs) in the parent user namespace. @@ -619,7 +619,7 @@ in the parent user namespace. .I Or otherwise all of the following restrictions apply: .RS -.IP \(bu 3 +.IP \[bu] 3 The data written to .I uid_map .RI ( gid_map ) @@ -627,10 +627,10 @@ must consist of a single line that maps the writing process's effective user ID (group ID) in the parent user namespace to a user ID (group ID) in the user namespace. -.IP \(bu +.IP \[bu] The writing process must have the same effective user ID as the process that created the user namespace. -.IP \(bu +.IP \[bu] In the case of .IR gid_map , use of the @@ -675,12 +675,12 @@ to fail with the error The permission rules for writing to the .IR /proc/ pid /projid_map file are as follows: -.IP \(bu 3 +.IP \[bu] 3 The writing process must either be in the user namespace of the process .I pid or be in the parent user namespace of the process .IR pid . -.IP \(bu +.IP \[bu] The mapped project IDs must in turn have a mapping in the parent user namespace. .PP @@ -965,9 +965,9 @@ Within a user namespace, these capabilities allow a process to bypass the rules if the process has the relevant capability over the file, meaning that: -.IP \(bu 3 +.IP \[bu] 3 the process has the relevant effective capability in its user namespace; and -.IP \(bu +.IP \[bu] the file's user ID and group ID both have valid mappings in the user namespace. .PP |
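Review bot: the `.IP \(bu` to `.IP \[bu]` swap in every hunk is a pure escape-syntax change (groff's `\(xx` form takes two-character glyph names, `\[name]` takes names of any length, and both resolve `bu` to the same bullet glyph), so the thing to confirm before merging is that no `\(bu` was missed in this file and that the formatted page is unchanged: the 29/29 diffstat suggests a one-to-one substitution, but a `grep -n '\\(bu' man7/user_namespaces.7` on the result and a diff of `groff -man -Tutf8` output before and after would make that explicit. The indentation arguments (`\[bu] 3` on the first item of each list, bare `\[bu]` on the rest) are carried over untouched, which is what `.IP` expects, so nothing further is needed there.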
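Review bot: the commit message records what was changed but not why; one sentence giving the reason for preferring the bracketed escape form (for example, consistency with the form used elsewhere in the man-pages tree, or readiness for glyph names longer than two characters) would tell anyone bisecting through a tree-wide mechanical change that no rendering difference was intended in any of these hunks.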